Cybersecurity Needs in Buildings Are Increasing: Can IT Departments Hack It?
Recently we kicked off our annual cybersecurity assessment and training plan for Smith Engineering and BEP Analytics. While the training focused on our IT security posture and defensive and proactive steps, it did cause me to pause as I recalled a building upgrade with a past employer and building projects based around the growing demand for data and smart devices and, with it, the need to keep that information secure.
At a previous company, our headquarters had decided to undergo a major overhaul of the building’s internal security systems. We completely updated the building with modern technology and smart systems. Below is a list of the state-of-the-art systems the company invested in:
- Auto-tinting smart windows (electrochromism), and iPhone applications for user control of temperature and window tinting
- Smart CO2, Light, and Motion Sensors
- Smart Building Automation Platform
- Energy Data Platform
- Smart controls on the Diesel Generator
- Smart Meeting Room Technology
The main goal of the upgrade was to reduce the building’s energy consumption. But the upgrades served another purpose: collecting data. Upgrading the technology in the building made us recognize the power the information wielded. On one hand, it helped us as a business to drive real and measurable change; on the other hand, there was a vulnerability we were exposed to if we did not take the time to make sure our information was protected.
This is where IT departments come in. Whether they like it or not, IT departments have become the gatekeepers and are now tasked with bridging the gap between granting access to data and maintaining the confidentiality and security of that data. And unfortunately, it seems like they are still figuring out a good middle ground for accomplishing this task.
There was a customer we engaged with that had a Central Plant with chilled water, co-generation, and steam. We wanted access to their data to help perform required work for the plant. The project got delayed for nearly a year as we waited for IT’s permission for access. The reality was that IT was unaware of the legacy operations and had multiple connections to several third parties, and one of those connections included full control for plant dispatch. As the company that was hired to perform work on the plant, we had to wait for data-only access, while full plant control was already external.
Another cybersecurity concern, but a different scenario, was when a building owner and lessee each had vastly different expectations about what data security meant. The lessee was a US government entity with extremely strict security clearances due to the nature of their work, and the building was owned by a private entity. From a government perspective, physical or electronic access was severely limited, with many building occupants having security clearances. The building owner was responsible for maintaining base building systems like the building automation platform, but like all older buildings, the platform was out of date, with parts only available on eBay. The maintenance and support of this system, with no consideration for security, ended up being outsourced with full unrestricted remote access to the maintenance company.
The reality is that the need for remote access and data security is not going away. The list below gives just a few of the valid and required justifications for this need, which are not open to debate or blanket denials from IT:
- Cloud Computing – The entire software industry is moving to the cloud, and this will not change
- Support – As we struggle to maintain staff and the necessary expertise, we will need to outsource
- IoT devices do play a crucial role in optimization at a more granular level
- Complex assets need monitoring to maintain reliability from the manufacturer
- New energy platforms to meet regulatory requirements demand real-time data
But the question is, how do buildings judiciously manage the challenge of accessing and managing their data, while holding IT accountable to protect it? Now is not the time to throw our hands up and surrender to restrictions from IT; there is a solution to this dilemma. Building owners and IT departments need to communicate and understand the requirements of these assets while taking stock and inventory of the past to understand the current risks. These opportunities we have with customers, or even within our own companies, are good starting points to foster these discussions.